
Finding the cause of a permission denied which doesn't appear in the logcat

DevelMan

Lurker
Jan 28, 2019
I'm developing a native app for Android, and I'm occasionally confronted with a permission denied error which doesn't trigger an entry in the logcat logs. For example, trying to run:

shell@kltevzw:/ $ cat /proc/1/maps
/system/bin/sh: cat: /proc/1/maps: Permission denied


from the adb shell prompt results in a permission denied message sent to stderr, but nothing appears in the logcat. It's not a Unix permissions problem either, as anyone should be able to read the file:

shell@kltevzw:/ $ ls -lZ /proc/1/maps
-r--r--r-- root root u:r:init:s0 maps


It happens in some other situations as well, in which I have less control of the environment. Is it possible that this is caused by some dontaudit rules in the policy? I ran sesearch --dontaudit /sepolicy but didn't find any relevant rules there. Does anyone here know why some denials are sent to the log and some aren't, and how to debug such cases?

Thanks!
 
You did not specify if your app is a root app or not.

After Android 6 there were some security improvements, and apps outside of system now fall under the domain untrusted_app. Apps under this domain do not have read access to system or sysfs files. This means you will not be able to use RandomAccessFile, BufferedReader, Scanner, or Linux utilities like cat.

If you want to have unfettered access to sysfs or system files or any file that falls under a secontext not accessible by the untrusted_app domain, you will have to make a root app. I can cat any file without restriction in my root apps. Prior to Android 6 I was using RandomAccessFile.

If you want to see a log for this, use a Java built-in rather than cat. This will at least give you a log for further researching.

Your log will contain something close to this...
Code:
avc: denied (blah blah blah) scontext=u:r:untrusted_app:s0:c512,c768 (blah blah blah) permission denied

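The reply above says a logged denial shows up as an `avc: denied` line carrying the `scontext`. As an added example (not code from the thread), this Python script parses such lines and groups them by source domain, target type and object class. The log lines are constructed samples, and the names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a device). They follow the
# kernel AVC message shape; the scontext is the one quoted in the reply and
# the tcontext is the one `ls -lZ /proc/1/maps` printed in the question.
SAMPLE_LOG = """\
01-28 10:15:02.113  4321  4321 W cat     : type=1400 audit(0.0:91): avc: denied { read } for name="maps" dev="proc" ino=7013 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=file permissive=0
01-28 10:15:02.540  4321  4321 W cat     : type=1400 audit(0.0:92): avc: denied { open } for name="maps" dev="proc" ino=7013 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=file permissive=0
01-28 10:15:03.001  1200  1200 I ActivityManager: Displayed com.example/.Main
01-28 10:15:04.250  4400  4400 W sh      : type=1400 audit(0.0:93): avc: denied { getattr } for path="/sys/kernel/example" dev="sysfs" ino=88 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not rec.keys() >= {"scontext", "tcontext", "tclass"}:
        return None  # truncated line: not enough fields to identify a rule
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is the third field.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but still allowed.
    rec["enforced"] = rec.get("permissive", "0") == "0"
    return rec


def summarize(log_text):
    """Group denials by (source domain, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for (sdom, ttype, tclass), perms in summarize(SAMPLE_LOG).items():
        print(f"{sdom} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

The (source domain, target type, class) triple in each group is what to look for when searching the policy, for instance with the sesearch run mentioned in the question.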